nts: reset NAK indicator with new request

Don't restart NTS-KE if a spoofed NAK response was received and no valid
response is received for a subsequent request.
Miroslav Lichvar 2020-07-20 16:31:49 +02:00
parent fd8fbcd090
commit cc20ead3dc
3 changed files with 7 additions and 4 deletions


@ -599,8 +599,8 @@ This column shows the number of attempts to perform the key establishment since
the last successful key establishment. A number larger than 1 indicates a
problem with the network or server.
*NAK*:::
This column shows whether an NTS NAK was received since the last authenticated
response. A NAK indicates that authentication failed on the server side due to
This column shows whether an NTS NAK was received since the last request.
A NAK indicates that authentication failed on the server side due to
*chronyd* using a cookie which is no longer valid and that it needs to perform
the key establishment again in order to get new cookies.
*Cook*:::


@ -335,6 +335,7 @@ NNC_GenerateRequestAuth(NNC_Instance inst, NTP_Packet *packet,
inst->num_cookies--;
inst->cookie_index = (inst->cookie_index + 1) % NTS_MAX_COOKIES;
inst->nak_response = 0;
inst->ok_response = 0;
return 1;
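Review bot: The two indicator resets at the end of NNC_GenerateRequestAuth (`inst->nak_response = 0;` and `inst->ok_response = 0;`) have no comment saying that both flags describe only the most recent request, which is the security-relevant invariant here. Going by the commit message, an unauthenticated and possibly spoofed NAK for an earlier request must not cause an NTS-KE restart later, when the following request simply goes unanswered; I would state that above the resets, e.g. `/* Both indicators are per request: a NAK seen for an earlier request must not trigger NTS-KE for this one */`. The +/- markers are lost on this page, so which of the two lines is new is inferred from the commit title. The function body starts outside the hunk, so where `nak_response` is consumed cannot be checked from here.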


@ -82,9 +82,11 @@ get_request(NNC_Instance inst)
info.mode = MODE_CLIENT;
info.length = random() % (sizeof (packet) + 1);
if (inst->num_cookies > 0 && random() % 2) {
inst->num_cookies = 0;
TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
}
while (!NNC_PrepareForAuth(inst)) {
inst->next_nke_attempt = SCH_GetLastEventMonoTime() + random() % 10 - 7;